For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/bash-security/avoid-eval-on-list-expansions.md. A documentation index is available at /llms.txt.
Metadata

ID: bash-security/avoid-eval-on-list-expansions

Language: Bash

Severity: Error

Category: Security

CWE: 78

Description

List expansions expand to multiple words—chiefly $@ (positional parameters) and ${name[@]} (array elements). Feeding those into eval runs another round of shell parsing on the expanded words, so quoting and word boundaries can shift in dangerous ways and open the door to command injection (CWE-78).

Prefer fixing the data flow, calling commands without eval, or restructuring so each argument is handled safely without another round of shell parsing.

Non-Compliant Code Examples

#!/bin/bash
eval "$@"
eval "${files[@]}"
eval $@ foo
eval ${arr[@]}

Compliant Code Examples

#!/bin/bash
eval "echo hello"
eval "$foo"
eval "${arr[0]}"
printf '%s\n' "$@"
cmd "$@"
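To make the description's point concrete, the following script (an added example, not Datadog's rule implementation or any code from the page) runs a list expansion through eval and through a direct call and compares what the command actually receives. It is POSIX sh so it runs under sh or bash; the function names, the example_var variable and the inputs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Datadog's code): why "eval ... $@" is flagged.
# Written in POSIX sh so it behaves the same under sh and bash.

# Two stand-ins for a real command: one reports how many arguments it got,
# the other echoes its first argument verbatim.
count_args() { printf '%d\n' "$#"; }
first_arg()  { printf '%s\n' "$1"; }

# Non-compliant pattern: eval joins the expanded words with spaces and parses
# the result again, so an element containing a space turns into two arguments.
count_via_eval() { eval count_args "$@"; }

# Compliant pattern (the shape of the rule's cmd "$@" example): the expansion
# is passed straight to the command and every element stays one argument.
count_direct() { count_args "$@"; }

# The second parse also re-expands shell syntax found inside the data.
# A constructed argument holding the literal text '$example_var' is expanded
# by eval ...
example_var='expanded-by-second-parse'
first_via_eval() { eval first_arg "$@"; }
# ... but stays literal when passed directly.
first_direct() { first_arg "$@"; }

# Demo with constructed inputs: 'a b' and 'c' are two elements, not three.
count_via_eval 'a b' 'c'        # prints 3  (word boundaries shifted)
count_direct   'a b' 'c'        # prints 2  (word boundaries preserved)
first_via_eval '$example_var'   # prints expanded-by-second-parse
first_direct   '$example_var'   # prints $example_var
```

The fix the rule asks for is the second form in each pair: drop eval and hand the list expansion to the command directly, as in the compliant examples above.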